Leyton Jefferies, Head of Cyber Security Services, CSI
On Friday the NHS was hit by the biggest ransomware attack the UK has seen. Here I’ll explain what you should know about the attack and advise what you need to do today to protect your organisation.
What Just Happened?
A ransomware attack known as WannaCry is spreading very rapidly among unpatched Windows systems worldwide. The infection vector can present itself in multiple ways, such as a link within an email, a link within a PDF, or a password-protected ZIP file containing a PDF that starts the infection chain.
The WannaCry ransomware attacks have been extensive, targeting healthcare organisations, including doctor’s offices and hospitals, as well as telecommunication systems and gas and electric companies.
Early infection reports originated in Europe but have since spread across the United Kingdom, Spain, Russia, Pakistan, and potentially other regions.
How This Attack Has Been Unfolding –
- Early analysis of the worm reveals that it is taking advantage of a recent Microsoft Windows exploit called EternalBlue, which targets the Windows file-sharing service; this is how the ransomware spreads from machine to machine.
- Targeting is likely in bulk, via massive phishing campaigns delivering .zip archives with themes such as fake invoices, job offers, security warnings, undelivered email, etc.
- Once an infection takes place, WannaCry encrypts the victim’s files using the AES cipher and demands a Bitcoin ransom that increases in value as time passes.
- The ransom demands observed require victims to pay either $300 or $600 USD worth of Bitcoin for a decryption key that can release the victim’s data.
- Intelligence has verified at least several thousand dollars’ worth of ransom payments already made to criminal-controlled Bitcoin (BTC) addresses.
Current Recommendations –
The current recommendation is to ensure that the updates cited in the Microsoft Security Bulletin Summary for March 2017 are installed on endpoints, and monitor news outlets for updates.
There has also been a new release from Microsoft containing the following points:
- Windows Defender has been updated to detect and remove the offending program.
- In addition to the official update in March, a new update has been released for legacy systems (Windows XP, Server 2003, Windows 8, etc.) to patch for this vulnerability.
If you have any such systems remaining in your environment, it is advised to apply this update as soon as possible in order to minimise the attack surface for the malware.
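One way to check a host for the updates mentioned above, as an added example that is not CSI’s or Microsoft’s code: the KB numbers listed are recalled from the March 2017 bulletin and the later out-of-band release for legacy systems, and are an assumption to verify against the bulletin for each operating system in your estate.

```powershell
# Added example: report whether any of the March 2017 / out-of-band updates is
# installed on a host. Requires PowerShell 3.0 or later.
# Assumption: the KB list below is recalled from the bulletin, not copied from
# the advisory above; confirm it against Microsoft's bulletin before relying on it.
function Test-WannaCryPatch {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [string[]]$RequiredKBs = @(
            'KB4012212', 'KB4012215',   # Windows 7 / Server 2008 R2 (security-only / monthly rollup)
            'KB4012213', 'KB4012216',   # Windows 8.1 / Server 2012 R2
            'KB4012214', 'KB4012217',   # Server 2012
            'KB4012598'                 # out-of-band release for XP / Server 2003 / Windows 8
        )
    )
    $os = (Get-CimInstance Win32_OperatingSystem -ComputerName $ComputerName).Caption
    # Get-HotFix lists installed updates by KB identifier; keep the ones we care about.
    $installed = Get-HotFix -ComputerName $ComputerName |
        Where-Object { $RequiredKBs -contains $_.HotFixID }
    [pscustomobject]@{
        ComputerName = $ComputerName
        OS           = $os
        Patched      = [bool]$installed
        MatchedKBs   = ($installed.HotFixID -join ', ')
    }
}

# Check the local machine; pass -ComputerName to query a remote host you administer.
Test-WannaCryPatch | Format-List
```

A later cumulative rollup can supersede these KBs without listing them, so a “not patched” result should be confirmed against the bulletin rather than treated as final.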
Protect Your Organisation Today –
Follow these steps to protect your organisation from ransomware and other cyber attacks.
- Conduct proper and timely backups of data so it can be used to restore original files after a data loss event.
- Use security solutions with behaviour-based detection technologies. These catch malware, including ransomware, by watching how it operates on the attacked system, which makes it possible to detect fresh and as-yet-unknown ransomware samples. CylancePROTECT, as a CSI managed service, predicts and prevents the WannaCry ransomware on Windows, Mac, Linux and embedded Windows endpoints, both online and offline.
- We encourage you to stay up-to-date with this latest threat, and protect yourselves with CylancePROTECT. It has proven highly effective in preventing ransomware attacks. Please contact your Client Director for more information.
- Visit the “No More Ransom” website, a joint initiative with the goal of helping victims of ransomware retrieve their encrypted data without having to pay the criminals.
- Audit installed software, not only on endpoints, but also on all nodes and servers in the network and keep it updated.
- Conduct a security assessment of the control network (i.e. a security audit, penetration testing, gap analysis) to identify and remove any security loopholes. Review external vendor and third-party security policies in case they have direct access to the control network.
- Educate employees, paying special attention to operational and engineering staff and their awareness of recent threats and attacks.
- Provide protection inside and outside the perimeter. A proper security strategy has to devote significant resources to attack detection and response in order to block this type of attack before it reaches critical systems.
What Next –
To resist ransomware, you need to stay one step ahead of the cybercriminals and prepare in advance. CSI can help you protect your organisation proactively and assist with remediation services. If you’d like to speak to me or the CSI Cyber Security team, request a callback.